Advisory Name : Yahoo! Mail XSS Vulnerability
Release Date  : 2006.04.21
Application   : Yahoo! web-based email service
Tested On     : Microsoft IE 6.0
Discovered By : Cheng Peng Su (applesoup_at_gmail.com)

Description:
Yahoo! Mail is one of the Internet's most popular web-based email solutions.

Details:
This vulnerability results from the failure of Yahoo! Mail's filtering engine to block the "expression()" syntax in a CSS attribute when a comment is used to break up the word "expression". The comment symbols ( /* */ ) must be hex encoded in order to bypass the filter.

An example:

    <SPAN STYLE="width:ex/* good */pression(alert());">Hello</SPAN>

The injected code inside the CSS attribute can be used for:
- Getting cookies.
- Potential web-based e-mail worm.

Vendor status:
2006.04.01 Informed the vendor.
2006.04.03 The vendor confirmed the vulnerability.
2006.04.XX The vendor patched the vulnerability. (They patched it silently.)

Original advisory:
http://applesoup.googlepages.com/yahoo_mail_xss.txt
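
The filtering gap described under Details, shown from the filter's side as an added example (not part of the original advisory and not Yahoo!'s code): a pattern match on the raw markup misses the split keyword, while a check that decodes character references and strips CSS comments first catches it. The function names, the regular expressions and the sample strings are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

# Token the filter wants to keep out of style attributes.
EXPRESSION = re.compile(r"expression\s*\(", re.IGNORECASE)
# A CSS comment; an unterminated one runs to the end of the value.
CSS_COMMENT = re.compile(r"/\*.*?(?:\*/|\Z)", re.DOTALL)


def naive_filter_flags(markup: str) -> bool:
    """Pattern match on the raw markup, exactly as received."""
    return bool(EXPRESSION.search(markup))


class StyleAudit(HTMLParser):
    """Collects style attributes containing expression() after normalization."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in attribute
        # values (&#x2F; -> "/"), which is the text a CSS parser receives.
        for name, value in attrs:
            if name != "style" or not value:
                continue
            css = CSS_COMMENT.sub("", value)  # drop comments before matching
            if EXPRESSION.search(css):
                self.findings.append((tag, css))


def audit_styles(markup: str):
    """Return (tag, normalized style) pairs that should be rejected."""
    parser = StyleAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed samples: the advisory's example, the same value with the comment
# delimiters written as hex character references, and a harmless style.
LITERAL = '<SPAN STYLE="width:ex/* good */pression(alert());">Hello</SPAN>'
ENCODED = '<SPAN STYLE="width:ex&#x2F;&#x2A; good &#x2A;&#x2F;pression(alert());">Hello</SPAN>'
BENIGN = '<SPAN STYLE="width:10px; /* layout note */ color:red">Hello</SPAN>'

if __name__ == "__main__":
    for sample in (LITERAL, ENCODED, BENIGN):
        print(naive_filter_flags(sample), audit_styles(sample))
```
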